This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark filters using "and" vs "&&"


Hi,

I am trying to build a capture filter on some traffic which contains VLAN tags. The frames happen to contain two VLAN tags. I don't really care what VLANs they are, as I am mainly interested in the destination IP and port number.

If I use this capture filter below, I don't see any traffic:

tshark -i eth1 vlan and host 192.168.0.1

However, if I change my filter to this:

tshark -i eth1 vlan && host 192.168.0.1

everything works fine. Does anyone know the difference between using "and" vs "&&"? Does it have anything to do with the multiple VLAN tags?

Thanks

asked 21 May '12, 06:59 by Gian Sartor

edited 21 May '12, 15:00 by helloworld


One Answer:


&& has a special meaning in your shell.

command1 && command2
command2 is executed if, and only if, command1 returns an exit status of zero.

So, the difference between your two commands is:

The command:

tshark -ni eth1 vlan and host 192.168.0.1

shows only VLAN tagged traffic to and from host 192.168.0.1.

The command:

tshark -ni eth1 vlan && host 192.168.0.1

actually runs just this command (due to the special meaning of &&):

tshark -ni eth1 vlan

tshark will show any VLAN tagged traffic (without host filter). If that command exits with code 0, the shell would then run this command:

host 192.168.0.1

The result of the host command (if installed on your system) would be something like this:

Host 1.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

BTW: If you want to use && in the capture filter, you'll have to "escape" it for the shell with single quotes.

tshark -ni eth1 'vlan && host 192.168.0.1'

This is identical to:

tshark -ni eth1 'vlan and host 192.168.0.1'
tshark -ni eth1 vlan and host 192.168.0.1

Regards
Kurt

answered 21 May '12, 07:35 by Kurt Knochner ♦

edited 21 May '12, 15:04 by helloworld
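The following script is an added example, not code from the thread above. It makes the shell's parsing visible without needing a capture interface: a stand-in function fake_tshark takes the place of tshark and prints the capture filter it would compile (tshark joins every non-option word after the interface into one filter string; the assumption here is that the interface option comes first), and a stand-in host function replaces the real DNS lookup utility so that the second command the shell runs is shown instead of performing a lookup.

```shell
#!/bin/sh
# Added example (not from the original thread). fake_tshark stands in for
# tshark and reports the capture filter it would hand to libpcap: every
# non-option word after the interface, joined with spaces.
# Assumption: the interface option ("-ni eth1" or "-i eth1") comes first.
fake_tshark() {
    shift 2                 # drop "-ni eth1"
    printf '%s\n' "$*"      # the filter string libpcap would receive
}

# Stand-in for the DNS lookup utility 'host', so the example runs offline and
# the second command the shell runs becomes visible instead of doing a lookup.
host() {
    printf 'host(%s) called: a DNS lookup, not a capture filter\n' "$1"
}

# Unquoted '&&': the shell parses this as two commands. tshark receives only
# "vlan"; 'host 192.168.0.1' runs afterwards because fake_tshark exited 0.
unquoted_filter() {
    fake_tshark -ni eth1 vlan && host 192.168.0.1
}

# Single quotes hide '&&' from the shell; tshark receives the whole filter.
quoted_filter() {
    fake_tshark -ni eth1 'vlan && host 192.168.0.1'
}

# 'and' is an ordinary word to the shell, so no quoting is needed.
bare_and_filter() {
    fake_tshark -ni eth1 vlan and host 192.168.0.1
}

echo "--- unquoted && (two commands):"
unquoted_filter
echo "--- quoted && (one command):"
quoted_filter
echo "--- bare and (one command):"
bare_and_filter
```

To confirm what libpcap actually compiled, including the difference between one and two vlan keywords that comes up in the comments below, tcpdump -d 'vlan and host 192.168.0.1' prints the compiled BPF program and exits without capturing anything; the same quoting rule applies there.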

(Presumably, no VLAN traffic is going to or from 192.168.0.1, so a filter that tests for both will see no packets, but a filter testing only for VLAN frames will see packets. From the point of view of libpcap/WinPcap, which both tcpdump and Wireshark use for capture filters, "and" and "&&" behave exactly the same.)

(21 May '12, 09:55) Guy Harris ♦♦

Kurt, thanks for your response. This makes perfect sense now. So although I was seeing traffic which contained VLAN tags, the filter by host wasn't actually getting applied... gotcha!

Incidentally, I had a few more attempts on the filter for packets with multiple vlan tags and I think I got it working. This is what I ended up with -

tshark -i eth1 "vlan and (vlan and host 192.168.0.1)"

Thanks again, Gian

(23 May '12, 07:57) Gian Sartor

Gian,

tshark -i eth1 "vlan and (vlan and host 192.168.0.1)"

you don't need vlan twice. This should be equivalent to your command:

tshark -i eth1 "vlan and host 192.168.0.1"

(23 May '12, 08:13) Kurt Knochner ♦

Kurt,

tshark -i eth1 "vlan and (vlan and host 192.168.0.1)"

Will look for an IP address after TWO vlan headers (ie Q-in-Q), which is different from what happens when using the vlan directive once. As Gian said: "I had a few more attempts on the filter for packets with multiple vlan tags" :-)

(yes, my first reaction was also: "Hey, you don't need two vlan directives"!)

(23 May '12, 08:19) SYN-bit ♦♦

"packets with multiple vlan tags"

Ah, good catch :-) Thanks for the hint...

(23 May '12, 08:31) Kurt Knochner ♦